
So Many Holes, So Few Hacks

by Nikola Strahija on December 30th, 2002

Experts who discover and report security holes seem to be far more industrious than the malicious hackers willing or able to exploit those holes.
Despite the thousands of hackable holes that lurk in e-mail, on websites, in files and operating systems, most users' computers are never afflicted with more than the virtual version of a sniffle.

Few of the ominous potential traumas reported in 2002 turned out to have any real impact on most computer users. The Klez virus infected some machines and spawned spam that continues to clutter many e-mail inboxes. And the Linux Slapper worm made more work for some systems administrators for a while.

The rest of 2002's reported security holes appear to have languished, unexploited.

Some security experts suggest that malicious code attacks do happen but are dismissed by most users as just another wonky Windows software crash. But those same experts also cheerfully confess that most exploits aren't all that exploitable, and that the security industry profits by stirring up fear and frenzy.

Experts also wonder whether they and their colleagues devote entirely too much time to poring over program code looking for possible exploits.

"I'd love to see people in the industry turn their attention to developing broad-reaching security tools that make a real difference rather than focusing on finding each and every little possible exploit," security consultant Richard Smith said.

But the frenzied bug-hunting has become a way of life, said George Smith, a columnist for SecurityFocus.

"Since everyone hunts bugs, no one can afford not to do it or they risk being thought of as subpar, behind in the computer security rat race, not as geeky or on the case," Smith said.

"Think of (bug reports), no matter how confidently quoted in a press release or a website, as a continuing wail of desperation: 'Look, look, look at me. See what I did at the firm today and why you need me.'"

And since security companies are in the business to make money, the more threats they find, the better, says Mike Sweeney, a network consultant.

"There is also the geek factor at work," Sweeney said. "These guys love puzzles, so digging for a new security hole is their idea of having a life. It's not all wasted effort, either. Some of the security companies do sell very useful tools to help find and fix security threats."

In fact, experts said that the good geeks who are looking for the holes in order to patch them are far more diligent than the bad geeks who are looking to exploit them.

"Of all the people with the know-how to write malicious software that successfully exploits Windows desktop software, the vast majority are too busy and basically (too) decent to waste their time on this type of anti-social 'intellectual' exercise," George Smith said.

Experts also pointed out that the majority of security alerts are intended for the security industry, not for end users.

"The average user wouldn't know a hack if it walked up and bit them," Sweeney said. "And many of the so-called security holes require a very specific event to occur and the odds are very slim that it will occur.

"But, since it's theoretically possible someone might use this flaw as an attack method, it's reported as a 'security hole.' It's like saying there is a chance your car will roll over in a crash, therefore we will report the car as defective and a risk to you. Duh!"

But experts also agreed that it's probably better to search for those holes than to ignore potential security problems, even if bug hunting sometimes seems like a futile activity.

"In the computer security game, you can't be an Edward Jenner and come up with a vaccine for electronic smallpox that will put you in the history books and eventually result in the complete eradication of the disease," George Smith said. "You can only be the guy that spots the electronic poison ivy and suggests people either steer clear or buy calamine."